[Bug] CRUD orderByRaw using unsanitized input
Bug report
What I did
Created a crud for users. I set order by, then added sql command to the request: column%5D=0&order%5B0%5D%5Bdir%5D=asc;UPDATE users SET name=(SELECT password FROM users WHERE id=1) WHERE id=1--&start=0
What happened
What I’ve already tried to fix it
app/Library/CrudPanel/Traits/Query.php:149
return $this->query->orderByRaw($this->model->getTableWithPrefix().'.'.$column_name.' '.$column_direction);
If I remove lines 148-150, the order functionality remains, but the injection will not run.
Backpack, Laravel, PHP, DB version
When I run php artisan backpack:version
the output is:
PHP VERSION:
PHP 7.4.3 (cli) (built: Feb 27 2020 12:36:55) ( NTS ) Copyright © The PHP Group Zend Engine v3.4.0, Copyright © Zend Technologies with Xdebug v2.9.4, Copyright © 2002-2020, by Derick Rethans
LARAVEL VERSION:
v8.28.1@73dd43d92fcde6c6abc00658ae33391397ca119d
BACKPACK VERSION:
4.1.34@d9ec59ab1f9fe03c7106911b5667d912c1cfe1f7
Issue Analytics
- Created 3 years ago
- Comments:13 (9 by maintainers)
Top GitHub Comments
@tabacitu MongoDB and other non-sql db's are safe because we don't run raw sql on them. Also, for example for mongo, Jenssegers implements the same fix as we do in the interface for mongo with eloquent. https://github.com/jenssegers/laravel-mongodb/blob/09fcda8d21edfeb49416893bf916e13647d79f4b/src/Jenssegers/Mongodb/Query/Builder.php#L496
For Postgres I can only speak for the last version with default configurations:
But from my research I found out that PG supports stacked queries, so this might be something configurable per instance, or was implemented only in later versions.
Hello @alitak and @tabacitu
After some more research I am pretty sure that by default mysql-php does not allow stacked queries, like @alitak pointed out.
But the fact that it does not affect mysql does not make it irrelevant. We went ahead and fixed it in https://github.com/Laravel-Backpack/CRUD/pull/3550
But you stated that the fix is not working for you? I've just tested and I cannot submit anything more than asc or desc as the dir parameter. Can you make sure that you have https://github.com/Laravel-Backpack/CRUD/blob/779364646e3b57258b981ff9f1bdcd9887143836/src/app/Http/Controllers/Operations/ListOperation.php#L100 in your project?
Best, Pedro
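As an added illustration, not code from this issue or from the Backpack repository, the concatenation quoted in the report beside a replacement of the kind the maintainers describe (direction reduced to asc/desc, column restricted to what the list actually exposes). It uses Laravel's query builder from the illuminate/database Composer package; the function names, the $allowedColumns list and the in-memory SQLite connection are assumptions made for the demo.

```php
<?php
// Added example, not Backpack's own code.
// Requires: composer require illuminate/database
// orderUnsafe(), orderSafe() and $allowedColumns are hypothetical names.

require __DIR__.'/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;
use Illuminate\Database\Query\Builder;

// Vulnerable shape from the report: request-controlled column and direction
// are concatenated into raw SQL. On a driver that accepts stacked statements
// a dir of "asc;UPDATE ..." runs as a second statement.
function orderUnsafe(Builder $query, string $table, string $column, string $dir): Builder
{
    return $query->orderByRaw($table.'.'.$column.' '.$dir);
}

// Hardened version: the direction is collapsed to one of two literals, the
// column must be on an allow-list, and orderBy() lets the grammar quote the
// identifier instead of building raw SQL from user input.
function orderSafe(Builder $query, string $table, array $allowedColumns, string $column, string $dir): Builder
{
    $dir = strtolower($dir) === 'desc' ? 'desc' : 'asc';
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Column is not sortable: {$column}");
    }
    return $query->orderBy($table.'.'.$column, $dir);
}

// In-memory SQLite so toSql() can be inspected offline (constructed for the demo;
// no statement is executed, only compiled).
$capsule = new Capsule();
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

// Constructed request input, the same shape as order[0][dir] in the report.
$column = 'name';
$dir    = 'asc;UPDATE users SET name=(SELECT password FROM users WHERE id=1) WHERE id=1--';

echo orderUnsafe(Capsule::table('users'), 'users', $column, $dir)->toSql(), PHP_EOL;

echo orderSafe(Capsule::table('users'), 'users', ['id', 'name', 'email'], $column, $dir)->toSql(), PHP_EOL;

// A column outside the allow-list is rejected before any SQL is built.
try {
    orderSafe(Capsule::table('users'), 'users', ['id', 'name'], 'password', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running the script prints the compiled SQL for both variants: the unsafe one carries the whole injected direction string verbatim after ORDER BY, while the safe one ends in a grammar-quoted identifier followed by asc. Collapsing the direction to a literal rather than validating it with a regex is deliberate: there is nothing to sanitize, only two values that can ever reach the query.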